tag:blogger.com,1999:blog-87141087320053856712012-02-17T03:23:18.011+01:00How to cope with digital identitiesAndréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.comBlogger331100tag:blogger.com,1999:blog-8714108732005385671.post-26702548188228466062011-10-06T16:36:00.000+02:002011-10-06T16:39:41.704+02:00

Today this announcement was made: Facebook SIM brings social network to dumb phones. And this may well be the first convergence of the first world and the second world, convergence of the real world and the digital social networking world. And as I predicted, Facebook is one of the parties involved. Google will follow soon, mark my words... Facebook Real Name policy will of course have a major

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-6101785654926058752011-09-21T08:36:00.002+02:002011-10-06T16:36:42.975+02:00

Recently a few service providers initiated their Real Name policy. They require their users to use their real name in order to be able to use the services. Google+ and Facebook prohibit the use of an alias as a name. One of the most famous victims is Identity Woman. The service providers claim that the use of the real name of users helps creating more trust on the Internet. There are several

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-64847419389013885122011-06-07T22:45:00.000+02:002011-06-07T22:45:24.060+02:00

And so finally RSA aknowledged that the march hack can in fact result in risks. It took some while and perhaps because of this the tweetosphere exploded by all experts mocking RSA: SecurID is unsafe now. And the fact that RSA said to replace unsecure SecureID's for only a few 'high risk' customers made things even worse. And alas, for RSA things will not get better soon. Being vague about the

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-66950576271891829842011-06-04T08:52:00.000+02:002011-06-04T08:52:05.665+02:00

A new trend is born, the secure personal digital locker. It used to be called the Digital Vault, but locker feels a lot more personal. What's the purpose of a locker? It's a storage area for your personal data. The principle behind the locker (as defined by Google's Schmidt) is that you are the owner of your data. Interestingly, now I know of at least 4 dedicated cloud based locker systems: Qiy

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com5tag:blogger.com,1999:blog-8714108732005385671.post-84624185247874332182011-05-10T18:35:00.000+02:002011-05-10T19:02:19.624+02:00

I wish that we could get rid of Quick Wins in programs and projects. In the past I experienced that many projects were legitimated by calculating a business case with a few quick wins. And based on that business case a steering commitee would then decide to start the project. And the first goal would be to harvest the low hanging fruits...But in almost as many cases the projects were re-scoped

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-23391338401114631152011-05-04T11:34:00.010+02:002011-05-05T22:34:49.862+02:00

(this post is not really about Identity, just a translation of my article from november 2009)Nowadays everything is turning AAS: software, infrastructure, platform, security, identity, storage. More and more the traditional IT gets more foggy, we are more and more in the clouds. What remains of the old IT profession is to design and manage new things that have not yet been migrated to the cloud.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-56411160175253454522011-04-12T14:58:00.003+02:002011-05-04T11:33:24.566+02:00

Traditionally Identity Management is almost core business for many companies. Of course we all sell products and services to consumers, but those are commodities when it comes to identifying the trouble we have managing our business. You have to comply to all kinds of laws and regulations and operating an identity business is no small task. There are lots of small processes and you have to

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-9940561973073400712011-02-24T22:17:00.002+01:002011-02-24T22:58:20.633+01:00

Writing blog posts is not business as usual. Most posts take a while to become published. And since I have to do more work and write some more stuff for the Dutch information security magazine, this blog gets less attention than I planned beforehand.A new tool on my Nokia N900 smartphone (great little device) might help me writing small posts easier. Perhaps I can create a few smaller blog posts,

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-34624202230692237362009-10-27T14:35:00.012+01:002010-06-22T16:29:08.667+02:00

As I wrote earlier am involved in the Dutch OpenID.nl+ initiative to help grow the acceptance of OpenID (and to a lesser degree Information Card) in The Netherlands. Within the initiative Identity Providers and Relying Parties define an interoperability standard whereby Relying Parties can rely on digital identities from Identity Providers, based on the verification level of identity attributes

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-41135689203522410822009-09-10T14:49:00.001+02:002009-09-10T15:02:10.015+02:00

As I wrote earlier, the biggest problem in the identity 2.0 space is the absence of trustworthy public Identity Providers. I called for a trust framework that would enable differentiation in trust levels for identity providers. Of course that requires some major party to define the standards.There is some great news about the development of a standard trust framework for identity providers.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-70117669140461253712009-08-26T20:45:00.003+02:002009-08-26T21:06:50.360+02:00

After playing Mafia Wars for a few weeks, I accepted an invitation to join Spymaster. Spymaster is all about the spying game, you're a secret agent (either Russian, American or British) doing jobs and killing enemies. Here too you get energy and health, time based, and use it to do tasks and attacking other agents.Gameplay is easy. Energy permitting, you select a task and do it. By doing a task

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-27264627131106462672009-08-26T17:29:00.004+02:002009-08-26T18:38:51.633+02:00

A smart game, quite addictive. The first levels are mastered by doing Jobs. Jobs like 'Auto Theft' or 'Recruit a Rival Crew Member'. You need enough energy to do the job. And energy just grows in time (depending on the type of the character you choose up front). A job gives you hard cash and experience points. The cash can be used to buy you weapons or property. That's a second dimension of the

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-42047410269642607562009-08-26T16:56:00.004+02:002009-08-26T18:39:09.149+02:00

If you're on Facebook, you must have noticed invitations from friends to join them in an online game. A few weeks ago I decided to take part in a few games, what use is a game if you don't play it?So I became a member of a mafia family in the Mafia Wars game. Later I got involved in Spymaster and lately I have been running a farm in Farm World.What they have in common is how a player can grow

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-87079499150137841592009-06-20T13:41:00.005+02:002009-06-20T19:46:51.165+02:00

The best book about identities that I read is Identity Crisis by Jim Harper. After you read the book, please come back and check this concept:A digital identity is issued by an identity provider. The relying party has to be able to interpret the data in order to act on them. Important information is the trustworthyness of the identity provider (trust level). But just as important is the trust

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-9258211104382204892009-06-18T08:57:00.003+02:002009-06-18T09:34:14.907+02:00

Since there's no trust hierarchy for identity providers yet, some other mechanism should be developed to be able to trust third party identity providers. At least if we want to be able to use identity information within the digital identity, the digital passport, to act on. As long as a digital identity is used instead of userid and password, there is no problem. Any digital identity used on a

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-15208332275381621412009-05-03T16:21:00.003+02:002009-05-03T16:34:14.755+02:00

This week the 2009 version of the European Identity Conference will be held in Munich, Germany. I will be attending the conference and give a presentation in the Cloud Computing side track on thursday afternoon. I hope to get a lot of responses to the claims based access control (cbac) ideas and to the trusted identity provider solutions. More information on the idconf site.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-74480413791445759822009-04-16T15:25:00.006+02:002009-04-16T21:24:09.759+02:00

I just read one big ad (dressed as an article) for the myOneLogin service. It is some kind of identity broker, directed at enterprises and SMB's, facilitating single sign-on for cloud applications. It's a $3/month per user service that might replace the use of OpenID for enterprises users. It also addresses strong authentication needs and can cope with SAML.Anyway: this has got nothing to do with

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-77035247849003428132009-03-31T22:50:00.005+02:002009-03-31T23:10:55.269+02:00

Just a short update:from 5th till the 7th of may I will attend the European Identity Conference in Munich. I will be presenting a few thoughts about Access Control in the Cloud, covering Claims Based Access Control and Identity Provisioning (in the fog...). My talk will follow Martin Kuppinger's in Stuart Boardman's forum. I'm looking forward to meeting lots of experts in the field.Munich, twice

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-57662554472488728632009-02-26T12:10:00.002+01:002009-02-26T13:00:16.709+01:00

Mike jones reported the availability of the Identity Metasystem Interoperability Version 1.0. This looks good news to me, progress being made, so all hands on deck for reviewing.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-85151974333743677112008-12-15T22:38:00.005+01:002008-12-15T23:14:55.356+01:00

What's the problem with people knowing my identity attributes, my personal data? Okay, not all data are public, but why should I hide my identity? What personal data should I protect?I have been thinking about this privacy thing a lot lately. Partly because we have to protect privacy stuff by law. But we protect all information, you might say that all privacy data are protected implicitly if we

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-80515454230676240012008-12-15T22:30:00.004+01:002008-12-15T23:22:33.241+01:00

I just like to point to the ibpedia.nl community project, that aims to be a research portal for information security professionals.The project was started by a few Dutch enthusiasts, who (in vain) tried to use wikipedia for knowledge sharing. Due to the fact that a lot of knowledge was still in research phase, wikipedia could not host the items, so a new wiki was started.ibpedia got its name form

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-81292383043891594642008-10-28T11:50:00.002+01:002008-10-28T11:55:48.096+01:00

Ian Yip posted the results from his earlier survey. Lots of interesting pictures and I am curious about any further analysis.You can find the results over here.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com1tag:blogger.com,1999:blog-8714108732005385671.post-38406180823357090072008-10-06T12:02:00.000+02:002008-10-06T12:04:50.440+02:00

For those interested, there's a survey on outsourcing Identity Management. You can find it over here.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-78023571959489726562008-09-30T12:00:00.003+02:002008-09-30T12:13:02.476+02:00

For a few years we have been working within a SOA environment and we implemented some form of the RBAC security paradigm. But since a few iterations of our SOA we feel that we arrive at the limits of RBAC. RBAC is fine within a single security domain, like an application, but as soon as you cross your security borders, like you will do in a SOA, you run against problems.Some RBAC limitations in

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com3tag:blogger.com,1999:blog-8714108732005385671.post-87093383645142822922008-08-11T09:22:00.002+02:002008-08-11T09:26:20.158+02:00

Great idea, thanks Kalya:

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-13609928813389379952008-07-16T21:54:00.003+02:002008-07-16T22:06:01.376+02:00

A few months ago I tried to get the ubuntu community interested in porting an infocard identity selector to ubuntu. No luck since.By chance I found out that there is progress on the linux front. A month ago the bandit project published a .deb DigitalMe install package for Ubuntu. You can find it at the digitalme download site.And yes, it works. The package delivers a painless install of the

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-50591223328713774272008-06-29T08:59:00.003+02:002008-06-29T09:33:47.698+02:00

I just learned about the Liberty Identity Assurance Framework project. It seems that there are thoughts about the problem that I described earlier, see my remarks about a trust model for identity providers. The framework consists of an XML schema, that (in fact) describes several standard claims about the use of identity information. You might say, my proposed 'authlevel' and 'authmethod' claims.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-88908496643800903342008-06-27T12:48:00.005+02:002008-06-27T13:55:49.880+02:00

A few weeks ago I blogged about the problem of identifying the trust level of an identity provider. See my blogpost earlier. Since, I've been pondering about this problem and discussing it with a few experts.In PKI the trust problem is solved. There are root-level CA's, who trust eachother by means of cross certification. And that is a heavily secured environment with underpinning contracts,

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-76939611273120750002008-06-02T22:43:00.002+02:002008-06-02T22:52:38.936+02:00

A lot of fuss about a claimed hack of Microsoft Cardspace by some German researchers. Microsoft acted quickly and they should, trust is vital. Users have to trust security measures before they use them. And they should understand why and how these measures work.Glad that the matter of the hack is solved. But there is still the problem of users who are not aware of the why and how.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-79067653682364041932008-05-15T10:27:00.003+02:002008-05-15T10:33:32.119+02:00

Andy Updegrove just mentioned this initiative. So being a firm believer in Open Everything, I just signed this petition.Have a look en feel free to add your name to the form too.

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0tag:blogger.com,1999:blog-8714108732005385671.post-91828363776607104412008-04-09T11:43:00.003+02:002008-06-27T13:57:46.096+02:00

I would like my company to use infocard with claims as an identification/authentication method for customers and personnel, even as an authorisation scheme. We are a relying party, mapping claims to user authorisations in our information systems. But what is the level of trust of an infocard that's presented by a user.In order to verify an on line identity, a relying party will validate the

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com1tag:blogger.com,1999:blog-8714108732005385671.post-64196866278511718042008-04-01T11:36:00.004+02:002008-04-01T11:41:50.387+02:00

I'm trying to get support for adding infocard capabilities within ubuntu. Kim Cameron posts his tippingpoint indicator, showing the number of infocard aware systems (see http://www.identityblog.com/?p=869) and I'd like to add numerous workstations to that number.Find my postings (user meneer) at http://tinyurl.com/23nrzmIt's hard fighting non believers :)

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com1tag:blogger.com,1999:blog-8714108732005385671.post-10117219763641622362008-03-20T16:01:00.002+01:002008-03-20T16:04:33.333+01:00

Here I am, trying to find time to post my thoughts about Identity, internet, access control. Please don't wait for me to blog...

Andréhttp://www.blogger.com/profile/16204828200814835798noreply@blogger.com0